b'                             OFFICE OF\n                      THE INSPECTOR GENERAL\n\n\n                          U.S. NUCLEAR\n                     REGULATORY COMMISSION\n\n\n                        Review of NRC\xe2\x80\x99s Accountability\n                           and Control of Software\n\n                       OIG-02-A-02     October 26, 2001\n\n\n\n\n                          AUDIT REPORT\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                               NRC\xe2\x80\x99s website at:\n                     http://www.nrc.gov/NRC/OIG/index.html\n\x0c                                             October 26, 2001\n\n\n\n\nMEMORANDUM TO:                William D. Travers\n                              Executive Director for Operations\n\n\n\nFROM:                         Stephen D. Dingbaum/RA/\n                              Assistant Inspector General for Audits\n\n\nSUBJECT:                      REVIEW OF NRC\xe2\x80\x99S ACCOUNTABILITY AND CONTROL\n                              OF SOFTWARE (OIG-02-A-02)\n\n\nAttached is the Office of the Inspector General\xe2\x80\x99s audit report titled, Review of NRC\xe2\x80\x99s\nAccountability and Control of Software.\n\nThis report reflects the results of our review to determine whether NRC\xe2\x80\x99s policies governing the\ncontrol of software and software licensing agreements comply with applicable laws and\nregulations, and whether management controls are adequate to account for software and\nensure that software is properly licensed. Executive Order (EO) 13103, Computer Software\nPiracy, requires all executive agencies to adopt policies and procedures to promote legal\nsoftware use and proper software management. The review determined that NRC is not in\ncompliance with the EO because its policies (management directives) and its procedures\n(management controls) do not address the full scope of the EO\xe2\x80\x99s requirements. 
As a result,\nNRC needs to incorporate EO requirements into its Management Directives System and\nimplement measures to carry out the EO.\n\nAt an exit conference held on October 17, 2001, NRC officials generally agreed with the report\xe2\x80\x99s\nfindings and recommendations. While agency officials chose not to provide a formal, written\nresponse for inclusion in the report, they did provide editorial suggestions, which have been\nincorporated where appropriate.\n\nIf you have any questions, please contact Tony Lipuma at 415-5910 or me at 415-5915.\n\nAttachments: As stated\n\ncc:     John Craig, OEDO\n\x0cR. McOsker, OCM/RAM\nB. Torres, ACMUI\nB. Garrick, ACNW\nD. Powers, ACRS\nJ. Larkins, ACRS/ACNW\nP. Bollwerk III, ASLBP\nK. Cyr, OGC\nJ. Cordes, OCAA\nS. Reiter, CIO\nJ. Funches, CFO\nP. Rabideau, Deputy CFO\nJ. Dunn Lee, OIP\nD. Rathbun, OCA\nW. Beecher, OPA\nA. Vietti-Cook, SECY\nW. Kane, DEDR/OEDO\nC. Paperiello, DEDMRS/OEDO\nP. Norry, DEDM/OEDO\nM. Springer, ADM\nR. Borchardt, NRR\nG. Caputo, OI\nP. Bird, HR\nI. Little, SBCR\nM. Virgilio, NMSS\nS. Collins, NRR\nA. Thadani, RES\nP. Lohaus, OSP\nF. Congel, OE\nM. Federline, NMSS\nR. Zimmerman, RES\nJ. Johnson, NRR\nH. Miller, RI\nL. Reyes, RII\nJ. Dyer, RIII\nE. Merschoff, RIV\nOPA-RI\nOPA-RII\nOPA-RIII\nOPA-RIV\n\x0c                                              Review of NRC\xe2\x80\x99s Accountability and Control of Software\n\n\nEXECUTIVE SUMMARY\n\n    BACKGROUND\n\n          On September 30, 1998, the President signed Executive Order (EO)13103,\n          Computer Software Piracy, requiring all executive agencies to adopt policies and\n          procedures to promote legal software use and proper software management.\n          EO 13103 also directed the Federal Chief Information Officers (CIO) Council to\n          improve agency practices concerning acquisition and use of software, and\n          combating the use of unauthorized software. 
In August 1999, the CIO Council\n          published agency guidelines to promote legal software usage.\n\n    PURPOSE\n\n          The objectives of the audit were to determine whether the U.S. Nuclear\n          Regulatory Commission\xe2\x80\x99s (NRC) (1) policies governing the accountability and\n          control of software and software licensing agreements comply with applicable\n          laws and regulations, and (2) management controls are adequate to account for\n          software and ensure that software is properly licensed.\n\n    RESULTS IN BRIEF\n\n          NRC is not in compliance with EO 13103. NRC\xe2\x80\x99s policies (management\n          directives) and its procedures (management controls) do not address the full\n          scope of EO 13103\'s requirements because (1) NRC focused its actions on\n          personal use, not all uses of software, and (2) the agency planned to change the\n          business approach for its information technology resources. As a result, NRC\n          has not conducted an initial assessment of its software, established a baseline\n          for software inventory, or determined if all software on agency computers is\n          authorized. The lack of adequate policies and procedures leaves the NRC, its\n          employees, and its contractors vulnerable to the consequences of unauthorized\n          software use -- which may include fines and imprisonment.\n\n    RECOMMENDATIONS\n\n          This report makes six recommendations to the Executive Director for Operations\n          to improve NRC\xe2\x80\x99s accountability and control of software and respective licensing\n          agreements. Recommendations can be found at page 5 of this report.\n\n    AGENCY COMMENTS\n\n          At an exit conference held on October 17, 2001, NRC officials generally agreed\n          with the report\xe2\x80\x99s findings and recommendations. 
While agency officials chose\n          not to provide a formal, written response for inclusion in the report, they did\n          provide editorial suggestions, which have been incorporated where appropriate.\n\n\n                                          i\n\x0c                    Review of NRC\xe2\x80\x99s Accountability and Control of Software\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n               ii\n\x0c                                              Review of NRC\xe2\x80\x99s Accountability and Control of Software\n\n\nABBREVIATIONS AND ACRONYMS\n\n   CIO      Chief Information Officer\n   EO       Executive Order\n   MD       Management Directive\n   NRC      Nuclear Regulatory Commission\n   OCIO     Office of the Chief Information Officer\n   OIG      Office of the Inspector General\n\n\n\n\n                                        iii\n\x0c                   Review of NRC\xe2\x80\x99s Accountability and Control of Software\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n              iv\n\x0c                                                                 Review of NRC\xe2\x80\x99s Accountability and Control of Software\n\n\nTABLE OF CONTENTS\n\n    EXECUTIVE SUMMARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i\n    ABBREVIATIONS AND ACRONYMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii\n    I. BACKGROUND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1\n    II. PURPOSE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2\n    III. FINDING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2\n              NRC IS NOT IN COMPLIANCE WITH EXECUTIVE ORDER 13103 . . . . . . . . . 2\n\n\n    APPENDICES\n              A. SCOPE AND METHODOLOGY . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . 7\n              B. EXECUTIVE ORDER 13103, COMPUTER SOFTWARE PIRACY . . . . . . . . 9\n              C. CHIEF INFORMATION OFFICERS COUNCIL GUIDELINES . . . . . . . . . . 13\n              D. MEMORANDUM TO NRC\xe2\x80\x99S CHIEF INFORMATION OFFICER . . . . . . . . . 19\n              E. MEMORANDUM FROM NRC\xe2\x80\x99S CHIEF INFORMATION OFFICER . . . . . . 21\n\n\n\n\n                                                             v\n\x0c                   Review of NRC\xe2\x80\x99s Accountability and Control of Software\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n              vi\n\x0c                                                           Review of NRC\xe2\x80\x99s Accountability and Control of Software\n\n\nI. BACKGROUND\n\n                 On September 30, 1998, the President signed Executive Order (EO) 13103,\n                 Computer Software Piracy, requiring all executive agencies to ensure\n                 compliance with applicable copyright laws. EO 13103 also directed the Federal\n                 Chief Information Officers (CIO) Council to advise and recommend to executive\n                 agencies and the Office of Management and Budget \xe2\x80\x9cgovernment-wide\n                 measures to carry out this order.\xe2\x80\x9d Appendix B contains the full text of EO 13103.\n\n                 In August 1999, the CIO Council adopted guidelines for implementing EO 13103,\n                 including recommended software management practices (see Appendix C). The\n                 General Services Administration then distributed these guidelines to Government\n                 agencies.\n\n                 Computer software is protected by Federal copyright law,1 which requires users\n                 of a particular program to have a software licensing agreement2 authorizing its\n                 use. Under U.S. 
copyright law, the copying of a copyrighted work without the\n                 permission of its author may subject the copier to civil and criminal penalties.3\n                 For example, in May 2001, a Federal jury in Chicago returned a guilty verdict\n                 involving software piracy conspiracy. Individuals conspired to infringe the\n                 copyright of more than 5,000 computer software programs that were available\n                 through an Internet site. The pirated software had a retail value in excess of $1\n                 million. The civil penalties for copyright infringement include up to a $150,000\n                 fine for each work infringed. Additionally, depending on the circumstances,\n                 criminal penalties could be imposed.\n\n                 As of September 30, 2000, the U.S. Nuclear Regulatory Commission (NRC) had\n                 capitalized software with a value of more than $53.1 million with an additional\n                 $7.738 million representing software under development.4 Financial data for\n                 noncapitalized software (valued under $50,000) is not available because NRC\n                 does track all software or its value.\n\n\n\n\n       1\n         Copyright Law is contained in Title 17 of the United States Code. The Copyright Revision Act\nof 1976 (Public Law 94-553), effective January 1, 1978, was amended in 1980 to include computer\nsoftware under the category of \xe2\x80\x9cliterary works.\xe2\x80\x9d\n       2\n           A software publisher\xe2\x80\x99s license typically restricts copying of software to specific conditions.\n       3\n           18 U.S.C. 
2318, 2319 and 2319A.\n\n       4\n         Independent Auditors\xe2\x80\x99 Report and Principal Statements for the Year Ended September 30,\n2000, OIG-01-A-06/March 1, 2001.\n\n                                                       1\n\x0c                                                Review of NRC\xe2\x80\x99s Accountability and Control of Software\n\n\nII. PURPOSE\n\n           The objectives of the audit were to determine whether the NRC\xe2\x80\x99s (1) policies\n           governing the accountability and control of software and software licensing\n           agreements comply with applicable laws and regulations, and (2) management\n           controls are adequate to account for software and ensure that software is\n           properly licensed.\n\n\nIII. FINDING\n\n     A. NRC IS NOT IN COMPLIANCE WITH EXECUTIVE ORDER 13103\n\n           NRC is not in compliance with EO 13103, which requires executive agencies to\n           comply with applicable Federal copyright laws and with the CIO Council\n           recommended software management practices. NRC\xe2\x80\x99s policies (management\n           directives) and its procedures (management controls) do not address the full\n           scope of EO 13103 requirements because: (1) NRC focused its actions on\n           personal use, not all uses of software, such as official business use; and (2) the\n           agency planned to change the business approach for its information technology\n           resources. As a result, NRC has not conducted an initial assessment of its\n           software, established a baseline for software inventory, or determined if all\n           software on agency computers is authorized. 
The lack of adequate policies and\n           procedures leaves the NRC, its employees, and its contractors vulnerable to the\n           consequences of unauthorized software use -- which may include fines and\n           imprisonment.\n\n           NRC\xe2\x80\x99s Management Directives Do Not Address the Full Scope of Executive\n           Order 13103\n\n           Management Directive (MD) 1.1, NRC Management Directives System,\n           establishes the agency\xe2\x80\x99s management directives system as the basis for\n           communicating \xe2\x80\x9cNRC policies, requirements, and procedures necessary for the\n           agency to comply with Executive orders, pertinent laws, regulations, and the\n           circulars and directives of other Federal agencies.\xe2\x80\x9d Thus, the management\n           directives system is the appropriate vehicle to address EO 13103\'s\n           requirements.\n\n           On May 9, 2001, NRC issued MD 2.7, Personal Use of Information Technology,\n           which addresses some of the EO\xe2\x80\x99s requirements. However, the EO does not\n           focus on just personal use; it addresses all uses of software, as does the CIO\n           Council\xe2\x80\x99s implementing guidelines.\n\n           MD 2.7 defines personal use as \xe2\x80\x9c[a]n employee\xe2\x80\x99s activity that is conducted for\n           purposes other than accomplishing official or otherwise authorized activity.\xe2\x80\x9d\n\n\n                                            2\n\x0c                                                      Review of NRC\xe2\x80\x99s Accountability and Control of Software\n\n               NRC permits employees limited use of agency information technology (including\n               software) for personal needs if the use does not interfere with official business\n               and involves minimal additional expense. 
This directive details inappropriate\n               personal use, some of which corresponds to the EO\xe2\x80\x99s admonition against\n               inappropriate use. Employees are admonished against \xe2\x80\x9cunauthorized\n               acquisition, use, reproduction, transmission, or distribution of any controlled\n               information, including computer software.\xe2\x80\x9d Although MD 2.7 addresses personal\n               use, it does not address all uses of software. For example, it does not address\n               government purchased software (under a single license) that might be installed\n               at multiple locations, or employee purchased software used for official activities.\n\n               To fully comply with EO 13103, NRC\xe2\x80\x99s management directives must address all\n               types of software usage.\n\n               Agency\xe2\x80\x99s Software Management Controls Do Not Implement the CIO\n               Council\xe2\x80\x99s Guidelines\n\n               As required, the CIO Council established guidelines to implement EO 13103 in\n               August 1999. The guidelines recommended that \xe2\x80\x9cEach Federal agency should\n               consider these or similar steps to ensure agency compliance\xe2\x80\x9d with EO 13103.\n               The guidelines provide that agency CIOs should be assigned overall\n               responsibility for developing and implementing plans to ensure compliance.\n\n               The CIO Council\xe2\x80\x99s guidance also recommended that agency CIOs review\n               whether existing procedures promote legal software use and proper software\n               management. 
Suggested procedures in the CIO Council\xe2\x80\x99s guidelines include (1)\n               making an initial assessment of the agency\xe2\x80\x99s existing policies and practices with\n               respect to the use and management of software, (2) establishing an initial\n               baseline of the agency\xe2\x80\x99s software to assess whether the agency\xe2\x80\x99s software\n               usage complies with applicable software licenses,5 (3) preparing agency\n               inventories of software present on its computers, (4) determining what software\n               the agency is authorized to use, and (5) developing and maintaining adequate\n               record keeping systems. The entire text of the CIO Council guidelines is shown\n               in Appendix C.\n\n               As stated, MD 2.7 only addresses personal use policy and does not reference\n               additional policies or procedures that implement the CIO Council guidelines. For\n               example, NRC has not conducted an initial assessment, established a baseline\n               for software inventory, or determined if all software on agency computers is\n               authorized.\n\n\n\n\n       5\n          This should include software on individual computers and software accessed through the\nagency networks. Upon completion of the initial baseline, any unauthorized copies of software should\nbe (1) properly licensed or (2) destroyed and replaced with licensed copies.\n\n                                                  3\n\x0c                                     Review of NRC\xe2\x80\x99s Accountability and Control of Software\n\nInadequate controls over agency software are exacerbated by the agency\xe2\x80\x99s\nprocedures for permitting individual offices to purchase and control software.\nNeither the Office of the Chief Information Officer (OCIO) nor other NRC offices\nadequately control agency software. 
The Office of the Inspector General\xe2\x80\x99s\n(OIG\xe2\x80\x99s) discussions with representatives from NRC\xe2\x80\x99s larger offices disclosed that\nnone maintain a software inventory that accounts for all licensed software\ninstalled on their computers.\n\nImplementation Focused On Personal Use and a Changing Information\nTechnology Environment\n\nOCIO staff stated that the agency has not fully implemented EO 13103 because\nOCIO (1) focused on personal software use (MD 2.7), which they considered to\nbe a high priority area; and (2) planned to change its business approach for\nmanaging NRC information technology resources.\n\nOCIO staff acknowledged that MD 2.7 is the primary policy directive that\naddresses segments of EO 13103\xe2\x80\x99s requirements. They stated that MD 12.5,\nNRC Automated Information Systems Security Program, revised February 1,\n1999, also addresses some of the concepts contained in the EO. However,\nOCIO staff acknowledged that the management directives system should contain\nmore policy guidance to fully implement the EO.\n\nOCIO staff also advised that EO 13103 has not been fully implemented because\nof the forthcoming seat management contract. Under seat management, an\nagency contractor procures and manages hardware, software, and related\nsupport services.\n\nOCIO staff was advised that OIG\xe2\x80\x99s review of the statement of work for the\nproposed seat management contract determined that the contract did not clearly\ndescribe a contractor\xe2\x80\x99s responsibility for meeting the EO\xe2\x80\x99s requirements. OCIO\nstaff stated that meeting these requirements will be a shared responsibility of the\nagency and the prospective contractor. Because neither the division of\nresponsibility nor the need to meet EO 13103\'s requirements are clear, OIG\nrecommended that the contract be specific about the duties assigned to the\nsuccessful contractor. 
OIG provided these concerns and a recommendation to\nNRC\xe2\x80\x99s CIO in a memorandum dated August 31, 2001 (see Appendix D). The\nCIO\xe2\x80\x99s response can be found in Appendix E.\n\nOCIO staff advised that, while improvements are needed, they are sensitive to\nhonoring software licensing agreements and using only legal software. OCIO\nstaff concluded that the MDs should include the full spectrum of controls\nestablished in EO 13103 and the CIO Council\xe2\x80\x99s implementing guidance. They\nadvised OIG that additional policy and guidance will be forthcoming.\n\n\n\n\n                                 4\n\x0c                                     Review of NRC\xe2\x80\x99s Accountability and Control of Software\n\nInadequate Policies and Controls Put the Agency At Risk\n\nBecause NRC\xe2\x80\x99s guidance to date is directed at personal software usage, NRC is\nnot in compliance with EO 13103. Neither OCIO nor individual offices have\nadequate software controls that meet the EO\xe2\x80\x99s requirements. As a result, the\nagency does not adequately safeguard its property or know its degree of\ncompliance with software licenses.\n\nInadequate controls can lead to loss or misuse of agency property. Furthermore,\nuse of unauthorized software could tarnish the agency\xe2\x80\x99s reputation and subject\nit, its employees, and its contractors to significant legal penalties, such as fines\nor imprisonment. In addition, NRC could be required to delete any unlicensed\nsoftware from its computer systems and purchase replacement copies.\n\nRECOMMENDATIONS\n\nOIG recommends that the Executive Director for Operations:\n\n1.     Incorporate the requirements of Executive Order 13103, Computer\n       Software Piracy, and the provisions of the Chief Information Officers\n       Council August 1999 guidance into NRC\xe2\x80\x99s Management Directives\n       System.\n\n2.     
Issue interim guidance on software use until NRC\xe2\x80\x99s Management\n       Directives System is updated.\n\n3.     Institute property management accountability and controls for all\n       software.\n\n4.     Incorporate Executive Order 13103, Computer Software Piracy,\n       provisions into the seat management contract.\n\n5.     Develop procedures for monitoring compliance with Executive Order\n       13103, Computer Software Piracy.\n\n6.     Establish a documented inventory of all authorized software on agency\n       computers and remove all unauthorized software.\n\n\n\n\n                                 5\n\x0c                   Review of NRC\xe2\x80\x99s Accountability and Control of Software\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n               6\n\x0c                                                                                      Appendix A\n                                             Review of NRC\xe2\x80\x99s Accountability and Control of Software\n\n\n\nSCOPE AND METHODOLOGY\n\n        To accomplish the audit objectives, the Office of the Inspector General (OIG)\n        reviewed and analyzed pertinent laws, regulations, authoritative guidance, and\n        prior agency OIG and U.S. General Accounting Office reports. In addition, OIG\n        identified, analyzed, and compared NRC guidance with the aforementioned\n        criteria. OIG interviewed NRC staff to identify agency policies governing the\n        accountability and control of software and compliance with licensing agreements,\n        and to determine current issues, problems, or known deficiencies. 
OIG\n        interviewed staff in the Offices of the Chief Information Officer, Chief Financial\n        Officer, Nuclear Reactor Regulation, Nuclear Material Safety and Safeguards,\n        and Administration to determine responsibilities for purchasing and controlling\n        software and licensing agreements.\n\n        Management controls relevant to the audit were reviewed and analyzed.\n        Throughout the review, auditors were aware of the possibility or existence of\n        fraud, waste or misuse in the program under review. OIG conducted the audit in\n        accordance with Generally Accepted Government Auditing Standards from June\n        through August 2001.\n\n        The major contributors to this report were Anthony Lipuma, Team Leader;\n        Steven Zane, Audit Manager; and Michael Steinberg, Senior Auditor.\n\n\n\n\n                                         7\n\x0c                   Review of NRC\xe2\x80\x99s Accountability and Control of Software\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n               8\n\x0c                                                                                             Appendix B\n                                                    Review of NRC\xe2\x80\x99s Accountability and Control of Software\n\n\n\nEXECUTIVE ORDER 13103, COMPUTER SOFTWARE PIRACY\n\nTHE WHITE HOUSE\nOffice of the Press Secretary\nFor Immediate Release                                                                 October 1, 1998\nEXECUTIVE ORDER\nCOMPUTER SOFTWARE PIRACY\n\nThe United States Government is the world\'s largest purchaser of computer-related services\nand equipment, purchasing more than $20 billion annually. 
At a time when a critical component\nin discussions with our international trading partners concerns their efforts to combat piracy of\ncomputer software and other intellectual property, it is incumbent on the United States to\nensure that its own practices as a purchaser and user of computer software are beyond\nreproach. Accordingly, by the authority vested in me as President by the Constitution and the\nlaws of the United States of America, it is hereby ordered as follows:\n\nSection 1. Policy. It shall be the policy of the United States Government that each executive\nagency shall work diligently to prevent and combat computer software piracy in order to give\neffect to copyrights associated with computer software by observing the relevant provisions of\ninternational agreements in effect in the United States, including applicable provisions of the\nWorld Trade Organization Agreement on Trade-Related Aspects of Intellectual Property Rights,\nthe Berne Convention for the Protection of Literary and Artistic Works, and relevant provisions\nof Federal law, including the Copyright Act.\n\n(a) Each agency shall adopt procedures to ensure that the agency does not acquire,\nreproduce, distribute, or transmit computer software in violation of applicable copyright laws.\n\n(b) Each agency shall establish procedures to ensure that the agency has present on its\ncomputers and uses only computer software not in violation of applicable copyright laws. These\nprocedures may include: (1) preparing agency inventories of the software present on its\ncomputers; (2) determining what computer software the agency has the authorization to use;\nand (3) developing and maintaining adequate record keeping systems. 
(c) Contractors and\nrecipients of Federal financial assistance, including recipients of grants and loan guarantee\nassistance, should have appropriate systems and controls in place to ensure that Federal funds\nare not used to acquire, operate, or maintain computer software in violation of applicable\ncopyright laws. If agencies become aware that contractors or recipients are using Federal funds\nto acquire, operate, or maintain computer software in violation of copyright laws and determine\nthat such actions of the contractors or recipients may affect the integrity of the agency\'s\ncontracting and Federal financial assistance processes, agencies shall take such measures,\nincluding the use of certifications or written assurances, as the agency head deems appropriate\nand consistent with the requirements of law. (d) Executive agencies shall cooperate fully in\nimplementing this order and shall share information as appropriate that may be useful in\ncombating the use of computer software in violation of applicable copyright laws.\n\n\n                                                9\n\x0c                                                                                              Appendix B\n                                                     Review of NRC\xe2\x80\x99s Accountability and Control of Software\n\n\nSec. 2. Responsibilities of Agency Heads. 
In connection with the acquisition and use of\ncomputer software, the head of each executive agency shall:\n\n(a) ensure agency compliance with copyright laws protecting computer software and with the\nprovisions of this order to ensure that only authorized computer software is acquired for and\nused on the agency\'s computers; (b) utilize performance measures as recommended by the\nChief Information Officers Council pursuant to section 3 of this order to assess the agency\'s\ncompliance with this order; (c) educate appropriate agency personnel regarding copyrights\nprotecting computer software and the policies and procedures adopted by the agency to honor\nthem; and (d) ensure that the policies, procedures, and practices of the agency related to\ncopyrights protecting computer software are adequate and fully implement the policies set forth\nin this order.\n\nSec. 3. Chief Information Officers Council. The Chief Information Officers Council ("Council")\nestablished by section 3 of Executive Order No. 13011 of July 16, 1996, shall be the principal\ninteragency forum to improve executive agency practices regarding the acquisition and use of\ncomputer software, and monitoring and combating the use of unauthorized computer software.\nThe Council shall provide advice and make recommendations to executive agencies and to the\nOffice of Management and Budget regarding appropriate government-wide measures to carry\nout this order. The Council shall issue its initial recommendations within 6 months of the date of\nthis order.\n\nSec. 4. Office of Management and Budget. The Director of the Office of Management and\nBudget, in carrying out responsibilities under the Clinger-Cohen Act, shall utilize appropriate\noversight mechanisms to foster agency compliance with the policies set forth in this order. 
In carrying out these responsibilities, the Director shall consider any recommendations made by
the Council under section 3 of this order regarding practices and policies to be instituted on a
government-wide basis to carry out this order.

Sec. 5. Definition. "Executive agency" and "agency" have the meaning given to that term in
section 4(1) of the Office of Federal Procurement Policy Act (41 U.S.C. 403(1)).

Sec. 6. National Security. In the interest of national security, nothing in this order shall be
construed to require the disclosure of intelligence sources or methods or to otherwise impair the
authority of those agencies listed at 50 U.S.C. 401a(4) to carry out intelligence activities.

Sec. 7. Law Enforcement Activities. Nothing in this order shall be construed to require the
disclosure of law enforcement investigative sources or methods or to prohibit or otherwise
impair any lawful investigative or protective activity undertaken for or by any officer, agent, or
employee of the United States or any person acting pursuant to a contract or other agreement
with such entities.

Sec. 8. Scope. Nothing in this order shall be construed to limit or otherwise affect the
interpretation, application, or operation of 28 U.S.C. 1498.

                                                                                      Appendix B
                                             Review of NRC’s Accountability and Control of Software

Sec. 9. Judicial Review. This Executive order is intended only to improve the internal
management of the executive branch and does not create any right or benefit, substantive or
procedural, at law or equity by a party against the United States, its agencies or
instrumentalities, its officers or employees, or any other person.

                                   WILLIAM J. CLINTON
                                   THE WHITE HOUSE,
                                   September 30, 1998.

                                                                                      Appendix C
                                             Review of NRC’s Accountability and Control of Software

CHIEF INFORMATION OFFICERS COUNCIL GUIDELINES

                          Guidelines for Implementing the
                              Executive Order 13103
                                         on
                            Computer Software Piracy
                                Federal CIO Council
                              Approved August, 1999

                              TABLE OF CONTENTS

I     INTRODUCTION
      A.   Background
      B.   Summary of Executive Order Requirements

II    RECOMMENDED SOFTWARE MANAGEMENT PRACTICES
      A.  Assign Responsibilities Chief Information Officer
      B.  Initial Assessment
      C.  Software Management Policy
      D.  Training
      E.  Periodic Inspections and Assessments

III   OTHER REQUIREMENTS

                                        Guidelines for
                             Implementing the Executive Order
                                              on
                                  Computer Software Piracy

These Guidelines are issued by the CIO Council pursuant to the Executive Order on
Computer Software Piracy (Executive Order 13103 — September 30, 1998). The Order
requires the Council to provide advice and make recommendations to executive
agencies and to the Office of Management and Budget on appropriate government-wide
measures to carry out the Order. In developing these Guidelines, the Council has
attempted to balance each agency's obligation to comply with the directives of the Order
against the need for flexibility in developing agency practices and procedures.
Accordingly, the Guidelines suggest general best practices that promote legal use of
software without imposing rigid requirements to achieve this goal.

Note: A software management toolkit with model policies and training materials will be
published separately to assist agencies with implementation of the Executive Order.

I        INTRODUCTION

         A. Background

As the nation's largest consumer of software, the U.S. Government has an essential role to play
in setting an example for the nation as a lawful user of computer software. Computer software
is protected by Federal copyright law, which requires users of a particular software program to
have a license authorizing such use.
To provide guidance to Federal agencies in fulfilling this
role, President Clinton issued the Executive Order on Computer Software Piracy (Executive
Order 13103 - September 30, 1998) (Order), which seeks to:

                •      Ensure that executive agencies of the U.S. Government acquire,
                       reproduce, distribute, transmit, and use computer software in compliance
                       with international treaty obligations and federal law, including the
                       Copyright Act;
                •      Ensure that executive agencies maintain only legal software on their
                       computers and computer networks; and
                •      Ensure that Government contractors and recipients of grants and other
                       Federal funding do not use such funds to acquire, create, operate or
                       maintain computer software in violation of applicable copyright laws.

         B. Summary of Executive Order Requirements

President Clinton signed the Executive Order on Computer Software Piracy on September 30,
1998. The Order sets forth the Government's policy against the use, acquisition, reproduction,
distribution, and transmission of computer software that violates applicable copyright laws.
To implement this policy, the Order directs each executive agency to:

              •      Adopt procedures to ensure that the agency does not acquire, reproduce,
                     distribute, or transmit computer software in violation of applicable
                     copyright laws;
              •      Establish procedures to ensure that the agency has present on its
                     computers and uses only computer software not in violation of applicable
                     copyright laws. These procedures may include:
                     -        preparing agency inventories of the software present on its
                              computers;
                     -        determining what computer software the agency has authorization
                              to use; and
                     -        developing and maintaining adequate record keeping systems.
              •      Take appropriate measures, including for example the use of
                     certifications or written assurances, in the event the agency becomes
                     aware that contractors or recipients of Federal financial assistance are
                     using Federal funds to acquire, operate, or maintain computer software in
                     violation of copyright laws and determines that such actions may affect
                     the integrity of the agency's contracting and Federal financial assistance
                     processes;
              •      Cooperate fully in implementing the Order and share information that may
                     be useful in combating the use of computer software in violation of
                     applicable copyright laws;
              •      Educate appropriate agency personnel regarding software copyrights and
                     the policies and procedures adopted by the agency to honor them; and
              •      Ensure that the policies, procedures, and practices of the agency related
                     to copyrights protecting computer software are adequate and fully
                     implement the policies set forth in the Order.

                     The Executive Order also directs the Office of Management and Budget
                     to use its oversight mechanisms to foster compliance with the Order.

II     RECOMMENDED SOFTWARE MANAGEMENT PRACTICES

       Each Federal agency should consider these or similar steps to ensure agency
       compliance with the Order:

A. Assign Responsibilities

      Assign to the Chief Information Officer (CIO) overall responsibility for developing and
      implementing a plan to ensure agency compliance with the Order utilizing resources
      from throughout the organization. The CIO should look to these Guidelines as a
      resource in developing such a plan. Other partner organizations within the agency may
      be needed to properly implement this Executive Order. For example, the CIO may wish
      to partner with the agency's Inspector General to conduct the initial assessment
      described below in paragraph B; the Procurement Executive to develop and implement
      the software management policies referenced in paragraph C; and Human Resources to
      develop and implement the training program referenced in paragraph D.
      The CIO may delegate specific tasks to appropriate personnel within the agency, provided
      that he or she exercises sufficient supervision to ensure that such tasks are completed in
      a satisfactory manner.

3.     Direct your CIO to develop performance measures to assess the agency's compliance
       with the Order.

B. Initial Assessment. The CIO should coordinate through qualified personnel or an outside
contractor an initial assessment of the agency's existing policies and practices with respect to
the use and management of computer software. The purpose of the assessment is to help the
agency evaluate its current state of compliance with the Order and to identify any additional
measures needed to achieve compliance. The assessment may vary from agency to agency.
However, each agency should, at a minimum, review whether existing policies and procedures
promote legal software use and proper software management (as described below in paragraph
1). In addition, each agency should, to the extent feasible, establish the initial software baseline
described in paragraph 2, particularly if agency policies and procedures with respect to software
use and management are found to be deficient in any respect:

1.     Review and identify deficiencies in existing policies and procedures, including
       procedures for acquiring and installing software, storage and disposition of software and
       licenses, and software training.

2.     Establish an initial baseline of the agency's software (including copies installed on
       individual computers and accessed through agency networks) to assess whether the
       agency's software usage complies with applicable software licenses. The agency may
       use a sampling approach to assess its existing software management policies and
       practices. Upon completion of the initial baseline, any unauthorized copies of software
       should be (i) properly licensed or (ii) destroyed and replaced with licensed copies.

C. Software Management Policy. Develop a software management policy on the acquisition
and use of software by the agency and its employees.

1.     Adopt a policy prohibiting the use or installation of software by agency employees for
       which the agency lacks appropriate licenses (unless such software is properly licensed
       to the employee and used in accordance with agency policy).

2.     Adopt a software acquisition policy to guard against the acquisition of counterfeit
       software or software that violates licensing restrictions. The software acquisition policy
       should, among other things, require the following procedures:
       a.     Educate employees authorized to acquire software on the Agency's acquisition
              procedures.
       b.     To the extent feasible and consistent with agency acquisition procedures,
              standardize the agency's policy of acquisition of software.
       c.     Obtain from software resellers (i) proper licenses for any software supplied to the
              agency, or (ii) other information from which the agency can determine that its
              use of such software is validly licensed by the copyright holder.
       d.     Purchase software from reputable resellers.

3.     To the extent feasible and consistent with agency acquisition procedures, adopt
       software installation and distribution procedures to ensure that software: (i) originates
       from the office(s) designated by the agency to acquire new software; (ii) is approved by
       those office(s); or (iii) meets Agency IT architecture and standards requirements.

4.     Establish and maintain a record keeping system for documentation and materials
       evidencing legal use of the agency's software, including, for example, original software
       licenses, certificates of authenticity, purchase invoices, and a copy of the completed
       registration card. Consider the use of software management computer programs to
       automate such record keeping. If feasible, store such records, as well as any original
       software media (e.g., CD-ROMs or diskettes), in secure, designated location(s) within
       the agency.

5.     Include in the agency's software management policy provisions concerning the
       downloading of software from the Internet by agency employees, the use of user-owned
       software on agency computers, the use of agency-owned software from home or remote
       computers, and the decommissioning of agency computers. Ensure that such uses of
       software comply with applicable licenses and agency policy.

6.     Include in the agency's software management policy information concerning the
       authorities to whom employees can direct questions about the policy and report possible
       violations of the policy.

7.     Develop and adopt procedures for monitoring compliance with the software
       management policy, addressing reports and incidents of alleged violations of the policy,
       and disciplining employees who knowingly violate the policy or Federal copyright laws.

D. Training. Develop a training program for existing and new employees.

              1.    Existing Employees
                    a.       Amend employee handbook to include the agency's software
                             management policy, and distribute the updated handbook to all
                             employees.
                    b.       Provide training on the agency's software management policy for
                             existing employees to inform them of the types of software piracy,
                             how to detect and prevent piracy, how to implement the software
                             use policy, and consequences of violating the policy. Such training
                             may be conducted as a separate seminar or as a part of existing
                             training programs.
                    c.       Circulate reminders of the agency's software management policy
                             on a regular basis (at least annually) or remind employees of the
                             policy in other ways (at least annually), for example, through
                             notices in agency newsletters.
                    d.       Inform employees where they can get additional information on
                             the agency's software management policy and software piracy
                             prevention.

              2.    New Employees
                    a.       Provide each new employee an employee handbook that includes
                             the agency's software management policy.
                    b.       Train new employees during their initial agency orientation on how
                             to comply with the agency's software management policy.

E. Periodic Inspections and Assessments. Develop a system (possibly in conjunction with
the IG or other agency assessment tool) for periodic and random inspections and assessments
to evaluate the effectiveness of the software management policy. (A tool kit of helpful practices
is to be published separately to assist agencies with implementation).

III    OTHER REQUIREMENTS

Software Use by Government Contractors and Recipients of Federal Funds. The
Executive Order requires government contractors and recipients of Federal grants and loans to
have "appropriate systems and controls in place to ensure that Federal funds are not used to
acquire, operate, or maintain computer software in violation of applicable copyright laws."
If an agency becomes aware that contractors or recipients are using Federal funds to acquire,
operate, or maintain unlicensed software and determines that such actions may affect the
integrity of the agency's contracting and financial assistance processes, the agency is required
to "take such measures, including the use of certifications or written assurances, as the agency
head deems appropriate and consistent with the requirements of law."

NOTE: Guidance will be issued separately with respect to these requirements of the
Executive Order.

                                                                                      Appendix D
                                             Review of NRC’s Accountability and Control of Software

MEMORANDUM TO NRC’S CHIEF INFORMATION OFFICER

                             August 31, 2001

MEMORANDUM TO:               Stuart E. Reiter
                             Chief Information Officer

FROM:                        Stephen D. Dingbaum/RA/
                             Assistant Inspector General for Audits

SUBJECT:                     INFORMATION TECHNOLOGY SEAT MANAGEMENT
                             CONTRACT

On August 23, 2001, OIG met with Office of the Chief Information Officer (OCIO) staff (Messrs.
Schaeffer, Shields and Kee) to discuss issues related to our ongoing audit of NRC’s software
and licensing agreements. The purpose of this memorandum is to advise you of an issue that
needs immediate attention.

During the August 23rd meeting, we discussed the forthcoming seat management contract and
how it addresses the requirements contained in Executive Order (EO) 13103, Computer
Software Piracy. OCIO staff stated that the agency plans to award this contract in early
September.
OIG advised the OCIO staff that the Statement of Work for the proposed contract
does not clearly describe a contractor’s responsibility for meeting the EO’s requirements.

The OCIO staff advised that meeting these requirements will be a shared responsibility of OCIO
and the selected contractor. Because neither this division of responsibility nor the need to meet
the EO’s requirements is clear, OIG recommends that the seat management contract be specific
about the duties assigned to the successful vendor. This action is needed to comply with the
provisions of the EO and to protect the NRC, its employees, and the vendor from the potential
consequences related to using software that is not properly licensed.

If you have any questions, please contact Tony Lipuma at 415-5910 or me at 415-5915.

Attachments: As stated

cc:     William D. Travers, EDO

                                                                                      Appendix E
                                             Review of NRC’s Accountability and Control of Software

MEMORANDUM FROM NRC’S CHIEF INFORMATION OFFICER

                              October 16, 2001

MEMORANDUM TO:                Stephen Dingbaum
                              Assistant Inspector General for Audits
                              Office of the Inspector General

FROM:                         Stuart Reiter/RA/
                              Chief Information Officer

SUBJECT:                      INFORMATION TECHNOLOGY SEAT MANAGEMENT
                              CONTRACT

This is in response to your memorandum dated August 31, 2001, subject as above.
As discussed in the August 23, 2001 meeting with Tony Lipuma, we will work with the Office of the
Inspector General (OIG) to address the requirements contained in Executive Order (EO) 13103,
Computer Software Piracy. The Office of the Chief Information Officer has policies and
procedures in place to address some of the requirements of the EO, and will work with the
agency to modify and enhance them as necessary. We would appreciate any
recommendations the OIG can provide on implementing the requirements of the EO.

The Statement of Work for the NRC Infrastructure Services and Support Contract was awarded
on September 28, 2001 under the GSA Seat Management Contract. It requires the contractor
to track the installation, location, related license, warranty, maintenance and service records for
all hardware and software provided under the order and hardware connected to it, including
NRC-owned and personally-owned hardware and software. However, the major requirements
in this area are for the vendor to provide an inventory of software installed on agency hardware
and maintain licenses for software they manage, acquire, and/or install under the Statement of
Work.

The next step will be for the contractor to develop a detailed Concept of Operations for NRC
approval that will specify how they will meet agency inventory, license management, and other
operational requirements. Please contact James B. Schaeffer (415-8720, JBS) if you have any
questions or to arrange any assistance you may be able to provide.

cc: W. Travers, EDO